mirror of
https://abf.rosa.ru/djam/kernel-5.15.git
synced 2025-02-23 10:32:54 +00:00
Mikhail Novosyolov
- rediffed most of the patches, renamed files to ease further rediffs by git format-patch
- thanks to abf.io/kernels_stable for some patches for kernel 5.9
- using an unofficial patch for AUFS for kernel 5.10, there may be issues with stability, try to avoid using AUFS (I would have dropped it, but MagOS wants it very much)
- pulled updates of AltHa from http://git.altlinux.org/gears/k/kernel-image-un-def.git?p=kernel-image-un-def.git;a=history;f=security/altha;hb=HEAD
- dropped the patch adding a sysctl to disable disk-based swap because it has not found any usage
- bpf is now in the list of LSM modules (ability to write LSM modules as BPF programs), enable it, it is potentially useful and does not seem to be harmful
- keeping kernel libc headers in older kernels for now
- dropped building external virtualbox guest modules because they are now included in the mainline kernel
- turned off building VirtualBox host modules, I do not know how to keep these binary modules in sync with the userspace part of VirtualBox, users can continue using dkms
- turned off building kernel-shredder because it is not buildable on kernel 5.10
- updated rtl8821ce and added a dependency from its "blacklist" subpackage here (see https://github.com/tomaspinho/rtl8821ce/commit/14b536f0)

It is not clear if kernel 5.10 will receive LTS support longer than 5.4 or not. Support until Dec, 2022 is declared right now at https://www.kernel.org/category/releases.html for 5.10 and until Dec, 2025 for 5.4.

TODO: update kernel configs
TODO: solve problems with the version of virtualbox host modules not matching the version of the virtualbox package after virtualbox is updated but the kernel is not rebuilt
73 lines
3.7 KiB
Diff
From fe0e9e1b7fc6bc4a8ca0e0473bf88297ca7020a7 Mon Sep 17 00:00:00 2001
From: "Anton V. Boyarshinov" <boyarsh@altlinux.org>
Date: Thu, 17 May 2018 08:30:25 +0000
Subject: [PATCH 2/2] Documentation for AltHa LSM
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
---
Documentation/admin-guide/LSM/AltHa.rst | 43 +++++++++++++++++++++++++
Documentation/admin-guide/LSM/index.rst | 1 +
2 files changed, 44 insertions(+)
create mode 100644 Documentation/admin-guide/LSM/AltHa.rst
diff --git a/Documentation/admin-guide/LSM/AltHa.rst b/Documentation/admin-guide/LSM/AltHa.rst
new file mode 100644
index 000000000000..0b2ad0c8dd17
--- /dev/null
+++ b/Documentation/admin-guide/LSM/AltHa.rst
@@ -0,0 +1,43 @@
+====
+AltHa
+====
+
+AltHa is a Linux Security Module currently has three userspace hardening options:
+ * ignore SUID on binaries (with exceptions possible);
+ * prevent running selected script interprers in interactive move;
+ * disable open file unlinking in selected dirs.
+
+
+It is selectable at build-time with ``CONFIG_SECURITY_ALTHA``, and should be
+enabled in runtime by command line option ``altha=1`` and configuded
+through sysctls in ``/proc/sys/kernel/altha``.
+
+NoSUID
+============
+Modern Linux systems can be used with minimal (or even zero at least for OWL and ALT) usage of SUID programms, but in many cases in full-featured desktop or server systems there ara plenty of them: uncounted and sometimes unnessesary. Privileged programms are always a attack surface, but mounting filesystems with ``nosuid`` flag doesn't provide enouth granularity in SUID binaries manageent. This LSM module provides a single control point for all SUID binaries. When this submodule is enabled, SUID bits on all binaries except explicitally listed are system-wide ignored.
+
+Sysctl parameters and defaults:
+
+* ``kernel.altha.nosuid.enabled = 0``, set to 1 to enable
+* ``kernel.altha.nosuid.exceptions =``, colon-separated list of enabled SUID binaries, for example: ``/bin/su:/usr/libexec/hasher-priv/hasher-priv``
+
+RestrScript
+============
+There is a one way to hardening: prevent users from executing ther own arbitrary code. Thraditionally it can be done setting on user-writable filesystems ``noexec`` flag. But modern script languages such as Python also can be used to write exploits or even load arbitary machine code via ``dlopen`` and users can start scripts from ``noexec`` filesystem starting interpreter directly.
+Restrscript LSM submodule provides a way to restrict some programms to be executed directly, but allows to execute them as shebang handler.
+
+Sysctl parameters and defaults:
+
+* ``kernel.altha.rstrscript.enabled = 0``, set to 1 to enable
+* ``kernel.altha.rstrscript.interpreters =``, colon-separated list of restricted interpreters for example: ``/usr/bin/python:/usr/bin/python3:/usr/bin/perl:/usr/bin/tclsh``. Simlinks are suporrted in both ways: you can set symlink to interpreter as exception and interpreter and all symlinks on it will be restricted.
+
+Note: in this configuration all scripts starting with ``#!/usr/bin/env python`` will be blocked.
+
+OLock
+============
+Unlink disabling for open files needed for Russian sertification, but this is a nasty feature leading to DOS.
+
+Sysctl parameters and defaults:
+
+* ``kernel.altha.olock.enabled = 0``, set to 1 to enable
+* ``kernel.altha.olock.dirs =``, colon-separated list of dirs, for example: ``/var/lib/something:/tmp/something``.
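Review bot: the document title adornment at the top of AltHa.rst is too short for reStructuredText: the overline and underline `====` are four characters wide while the title `AltHa` is five, so Sphinx will report "Title overline too short" and may not render the heading; use `=====` (or longer) for both lines. Spelling needs a pass before merge: "interprers" / "move" (interpreters / mode), "configuded", "programms", "ara", "unnessesary", "a attack", "enouth", "manageent", "explicitally", "ther", "Thraditionally", "arbitary", "Simlinks", "suporrted", "sertification", "DOS" (DoS). In the RestrScript section, "you can set symlink to interpreter as exception" contradicts the sysctl it describes: `kernel.altha.rstrscript.interpreters` is a list of restricted interpreters, not exceptions, so reword it to say that listing either the interpreter or a symlink to it restricts the interpreter and every symlink pointing at it. The note that scripts starting with `#!/usr/bin/env python` are blocked should say why (presumably because `env` execs the interpreter directly, so the LSM sees a direct execution rather than a shebang invocation) and should point the reader at the supported form, a shebang naming the interpreter path. The OLock section states neither what a refused unlink returns to the caller nor whether `kernel.altha.olock.dirs` matches by path prefix or exact directory, and the "nasty feature leading to DOS" remark should be spelled out: any process holding a file open under a listed directory prevents its removal, so an administrator enabling it needs to know which directories are safe to list.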
diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index a6ba95fbaa9f..20b57e7adadd 100644
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -47,3 +47,4 @@ subdirectories.
tomoyo
Yama
SafeSetID
+ AltHa
--
2.25.1